Android security flaw puts Bitcoin users at risk

The Bitcoin Foundation has issued a security advisory warning users that have generated their Bitcoin wallet with an Android app that their Bitcoins can be easily stolen.

The problem lies with the Android implementation of the Java SecureRandom class which, according to Google software developer Mike Hearn who also works on the Bitcoin virtual currency system, makes all private keys generated on Android devices weak and easily worked out by attackers.

As each Bitcoin transaction must be signed with the private key associated with the Bitcoin address of the person that intends to transfer money, it’s easy to see how knowing someone’s cryptographic private key might allow a malicious individuals to empty that person’s wallet.

And when it comes to Bitcoin, no validly signed transaction can be reversed – meaning that the money transferred this way is lost to the original owner forever.

According to The Bitcoin Foundation, all Android Bitcoin apps were affected, but Bitcoin Wallet, Mycelium Wallet and blockchain.info have already been updated to remove the flaw.

“In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself,” the Foundation noted.

“If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one. If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.”

This should be done as soon as possible, as there are reports that attacks taking advantage of this flaw might already be happening.